Azure Active Directory best practices for monitoring

Question

Azure Active Directory best practices for monitoring

Eddie_Hernandez 1

Hello. I've been tasked with figuring out what security related events we're collecting in Azure Active Directory, then finding the difference between that and best practices. The goal being to pull those events to our external monitoring tool using the Graph API.

Is there a 'Best Practices' list of events for Azure AD?

It seems like I can only send certain event categories to a workspace for the API to pull from, is there no way to send specific events to a workspace?

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2021-08-11T00:32:10.507+00:00

Hi, we are investigating your issue and will update you shortly.

Best,
James

1 answer

Your answer

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2021-08-11T00:32:10.507+00:00

Hi, we are investigating your issue and will update you shortly.

Best,
James

Answer 1

James Hamil 27,221 Microsoft Employee Moderator

Hi @Eddie_Hernandez , there aren't any official "Best practices" per say, as it differs depending on what your application is. Most people use sign in logs the most but other than that it's up to you. Can you explain more by what you mean about sending specific events to a workspace?

Thank you,
James

Eddie_Hernandez 1 Reputation point

2021-08-13T13:09:45.07+00:00

In previous SIEMS we didn't want everything from systems, so we would collect specific Windows Event IDs. Such as those in https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor. However, it seems like Azure AD only provides categories to be sent to workspaces, those categoriees each containing a group of event IDs.

Share via

Azure Active Directory best practices for monitoring

1 answer

Your answer